
NVIDIA NeMoClaw CVE-2026-24222

EUVD-2026-26079 | HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-04-28 nvidia
CVSS 3.1: 8.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

5 events:
- Re-analysis Queued: Apr 28, 2026 - 20:23, vuln.today (cvss_changed)
- Analysis Generated: Apr 28, 2026 - 20:01, vuln.today
- EUVD ID Assigned: Apr 28, 2026 - 19:30, euvd (EUVD-2026-26079)
- Analysis Generated: Apr 28, 2026 - 19:30, vuln.today
- CVE Published: Apr 28, 2026 - 17:46, nvd (HIGH 8.6)

Description (NVD)

NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation. A successful exploit of this vulnerability might lead to information disclosure.

Analysis (AI)

Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). …


Remediation (AI)

Within 24 hours: Identify all systems running NVIDIA NeMoClaw and isolate instances that accept untrusted user input from network access, or restrict them to trusted internal users only. Within 7 days: Contact NVIDIA support for patch availability and timeline; implement compensating controls listed below if patching is delayed. …



CVE-2026-24222 vulnerability details – vuln.today
